Membership details of over 50 million users of defunct file-sharing service iMesh are for sale online, according to reports.
During iMesh’s heyday in the 2000s the peer-to-peer service was one of the biggest in the world, but following legal action it became a fully legal, paid-for platform. Although its popularity slipped it remained a well-liked tool for many file sharers, until it abruptly shut down in May this year.
Breach notification website LeakedSource says it obtained a copy of the database on the dark web. In total, 51,310,759 records are available, each containing a username, email address, password, IP address, location and the date the user joined iMesh. The breach dates from September 2013, LeakedSource says.
The vast majority of the breached accounts, nearly 14 million, are in the USA, followed by Turkey with 4 million and the UK with 3.6 million. Poland and Italy complete the top five.
According to LeakedSource the passwords were salted and hashed with the MD5 algorithm, a fast general-purpose hash that offers little protection against brute-force cracking today.
Even more worrying are the passwords used by many of the hacked accounts. The most popular is ‘12345,’ which nearly one million accounts were using. Also popular were ‘123456789,’ ‘1234,’ ‘12345,’ and ‘password’. Despite countless warnings about using strong, secure passwords, many users are still going for easy-to-remember passwords that are incredibly easy to crack.
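The two preceding paragraphs make a defensive point worth seeing in code: a salted MD5 hash is computed in one fast round, so an attacker holding the database can test candidate passwords at CPU speed, and a list of weak passwords like the ones named above falls immediately. The following Python example is added here and is not code from the article, from iMesh or from LeakedSource. It places the single-round salted-MD5 scheme the article attributes to iMesh beside a deliberately slow PBKDF2-HMAC-SHA256 scheme from Python's standard library, rejects the common passwords the article lists at registration time, and measures on the defender's own machine how many guesses per second each scheme allows. The iteration count, salt length and the 'constructed' list of weak passwords are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed from the passwords the article names; a real deployment would
# check against a much larger list of known-breached passwords.
COMMON_PASSWORDS = {"12345", "123456789", "1234", "password"}

# Assumed work factor for the hardened scheme; tune upward as hardware improves.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def salted_md5(password: str, salt: bytes) -> bytes:
    """The weak scheme the article describes: one round of MD5 over salt + password.
    A salt stops precomputed tables, but not fast per-hash guessing."""
    return hashlib.md5(salt + password.encode("utf-8")).digest()


def pbkdf2_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Hardened scheme: a deliberately slow key-derivation function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_password(password: str) -> dict:
    """Registration: refuse known-weak passwords, then store salt, hash and work factor."""
    if password in COMMON_PASSWORDS:
        raise ValueError("password is on the known-weak list")
    salt = os.urandom(SALT_BYTES)
    return {
        "salt": salt,
        "iterations": PBKDF2_ITERATIONS,
        "hash": pbkdf2_hash(password, salt, PBKDF2_ITERATIONS),
    }


def verify_password(record: dict, candidate: str) -> bool:
    """Login check with a constant-time comparison of the derived key."""
    derived = pbkdf2_hash(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(derived, record["hash"])


def guesses_per_second(hash_fn, seconds: float = 0.3) -> float:
    """Measure how many candidate passwords this CPU can hash per second with hash_fn.
    This is the rate a single defender core allows; it is what an attacker
    holding a stolen database gets for free from the chosen scheme."""
    salt = b"constructed-fixed-salt-for-benchmark"
    count = 0
    start = time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn(f"candidate{count}", salt)
        count += 1
    return count / (time.perf_counter() - start)


def slowdown_factor() -> float:
    """How many times harder guessing becomes when PBKDF2 replaces salted MD5."""
    return guesses_per_second(salted_md5) / guesses_per_second(pbkdf2_hash)


if __name__ == "__main__":
    print(f"salted MD5 guesses/s: {guesses_per_second(salted_md5):,.0f}")
    print(f"PBKDF2 guesses/s:     {guesses_per_second(pbkdf2_hash):,.1f}")
    print(f"slowdown factor:      {slowdown_factor():,.0f}x")
    record = store_password("correct horse battery staple")
    print("verify good:", verify_password(record, "correct horse battery staple"))
    print("verify bad: ", verify_password(record, "12345"))
```

The salt in `salted_md5` does its job of defeating precomputed tables, yet the measured rate shows why that is not enough: the hash itself is the bottleneck, and MD5 has none. `store_password` and `verify_password` show the two changes a service can make without replacing passwords outright, a slow KDF with a per-record work factor and a weak-password check at registration.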
According to ZDNet, the database is for sale on the dark web for 1 bitcoin, equivalent to around £490, which is not a huge amount to pay for access to over 50 million user accounts.
Javvad Malik, security advocate at AlienVault, said there are a couple of possible reasons for this: “Primarily it would be down to the fact that iMesh is now defunct, so the value is only in seeing if users have reused the passwords elsewhere. The other factors would boil down to market pressures. There are other big breaches out there so in order to sell, it needs to be priced competitively.”
Those other breaches Malik mentions include LinkedIn and Twitter, both of which have recently been dealing with the fallout of user credentials being exposed.
“There has been a flurry of these mass data breaches recently, with MySpace, LinkedIn and now iMesh, falling victim. Each announcement demonstrates that data theft and identity fraud is a multi-billion dollar business on the dark web, and so consumers must be vigilant,” Brian Spector, CEO of MIRACL said.
Spector added that he believes passwords are no longer an adequate form of security.
“Customers are rightly demanding to be protected when they submit their valuable personal information on the web, and online services need to respond appropriately by replacing the password with more rigorous authentication technologies. For now, anyone affected should change their password, not only for this account but also for any other website where they may have used the same password.”
Mark Bower, global director at HPE Security - Data Security added: “Data has high value to attackers, and even though the information for sale on the black market is several years old, it can still be used for social engineering attacks for spear phishing to attempt to gain access to deeper systems with even more lucrative data that can be monetized directly if stolen.”